- (Exam Topic 1)
Which of the following may unilaterally deem a cloud hosting model inappropriate for a system or application?

1. A. Multitenancy
2. B. Certification
3. C. Regulation
4. D. Virtualization

Correct Answer: C
Some regulations may require specific security controls or certifications be used for hosting certain types of data or functions, and in some circumstances they may be requirements that are unable to be met by any cloud provider.

- (Exam Topic 4)
Key maintenance and security are paramount within a cloud environment due to the widespread use of encryption for both data and transmissions.
Which of the following key-management systems would provide the most robust control over and ownership of the key-management processes for the cloud customer?

1. A. Remote key management service
2. B. Local key management service
3. C. Client key management service
4. D. Internal key management service

Correct Answer: A
A remote key management system resides away from the cloud environment and is owned and controlled by the cloud customer. With the use of a remote service, the cloud customer can avoid being locked into a proprietary system from the cloud provider, but also must ensure that service is compatible with the services offered by the cloud provider. A local key management system resides on the actual servers using the keys, which does not provide optimal security or control over them. Both the terms internal key management service and client key management service are provided as distractors.

- (Exam Topic 1)
Why does a Type 2 hypervisor typically offer less security control than a Type 1 hypervisor?

1. A. A Type 2 hypervisor runs on top of another operating system and is dependent on the security of the OS for its own security.
2. B. A Type 2 hypervisor allows users to directly perform some functions with their own access.
3. C. A Type 2 hypervisor is open source, so attackers can more easily find exploitable vulnerabilities with that access.
4. D. A Type 2 hypervisor is always exposed to the public Internet for federated identity access.

Correct Answer: A
A Type 2 hypervisor differs from a Type 1 hypervisor in that it runs on top of another operating system rather than directly tied into the underlying hardware of the virtual host servers. With this type of implementation, additional security and architecture concerns come into play because the interaction between the operating system and the hypervisor becomes a critical link. The hypervisor no longer has direct interaction and control over the underlying hardware, which means that some performance will be lost due to the operating system in the middle needing its own resources, patching requirements, and operational oversight.

- (Exam Topic 4)
Cryptographic keys for encrypted data stored in the cloud should be ________.

1. A. Not stored with the cloud provider.
2. B. Generated with redundancy
3. C. At least 128 bits long
4. D. Split into groups

Correct Answer: A
Cryptographic keys should not be stored along with the data they secure, regardless of key length. We don’t split crypto keys or generate redundant keys (doing so would violate the principle of secrecy necessary for keys to serve their purpose).

- (Exam Topic 4)
Identity and access management (IAM) is a security discipline that ensures which of the following?

1. A. That all users are properly authorized
2. B. That the right individual gets access to the right resources at the right time for the right reasons.
3. C. That all users are properly authenticated
4. D. That unauthorized users will get access to the right resources at the right time for the right reasons

Correct Answer: B
Options A and C are also correct, but included in B, making B the best choice. D is incorrect, because we don’t want unauthorized users gaining access.